https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364347#M44005 <P>The <A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Streamstats">streamstats</A> command should do what you need here.</P> <P>Specifically, you'll want to use it with a <CODE>window=2</CODE> and use the <CODE>first</CODE> and <CODE>last</CODE> stats function to pull out your times ( <CODE>_time</CODE>) or values to create a duration. </P> <P>You'll want something like </P> <PRE><CODE>... my search here ... | streamstats window=2 first(_time) AS first_time, last(_time) AS last_time, first(&lt;fieldname&gt;) as first_val, last(&lt;fieldname&gt;) as last_val | eval duration = first_time - last_time </CODE></PRE> <P>Where you replace with whatever gave you the field with values "A", "B", and so on.</P> <P>Here's a run-anywhere as an example. In it I create a fake "nums" that I use - that's the first 4 lines. You'll want to start with the streamstats right after you have your data.</P> <PRE><CODE>| makeresults | eval nums="3 7 8 12 15 19" | makemv delim=" " nums | mvexpand nums | streamstats window=2 last(nums) AS oldest first(nums) AS newest | eval duration=oldest-newest </CODE></PRE> <P>The resulting output will hopefully be easily adaptable to your own needs.</P> Tue, 03 Oct 2017 10:51:02 GMT Richfez 2017-10-03T10:51:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364346#M44004 <P>I have events by this pattern:<BR /> time id state</P> <P>e.g.:<BR /> 2017-03-10 10:30:00 123 A<BR /> 2017-03-10 10:30:01 123 B<BR /> 2017-03-10 10:30:02 123 C<BR /> 2017-03-10 10:30:03 123 D</P> <P>What i can get with "| transaction id"<BR /> A B duration<BR /> C D duration</P> <P>For Sankey diagram need to transform them into pattern</P> <P>e.g.:<BR /> A B duration<BR /> B C duration<BR /> C D duration</P> <P>In shortcut I need one event to be in two transactions. Is there some trick to achieve this?</P> Tue, 03 Oct 2017 10:07:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364346#M44004 sosapes 2017-10-03T10:07:17Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364347#M44005 <P>The <A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Streamstats">streamstats</A> command should do what you need here.</P> <P>Specifically, you'll want to use it with a <CODE>window=2</CODE> and use the <CODE>first</CODE> and <CODE>last</CODE> stats function to pull out your times ( <CODE>_time</CODE>) or values to create a duration. </P> <P>You'll want something like </P> <PRE><CODE>... my search here ... | streamstats window=2 first(_time) AS first_time, last(_time) AS last_time, first(&lt;fieldname&gt;) as first_val, last(&lt;fieldname&gt;) as last_val | eval duration = first_time - last_time </CODE></PRE> <P>Where you replace with whatever gave you the field with values "A", "B", and so on.</P> <P>Here's a run-anywhere as an example. In it I create a fake "nums" that I use - that's the first 4 lines. You'll want to start with the streamstats right after you have your data.</P> <PRE><CODE>| makeresults | eval nums="3 7 8 12 15 19" | makemv delim=" " nums | mvexpand nums | streamstats window=2 last(nums) AS oldest first(nums) AS newest | eval duration=oldest-newest </CODE></PRE> <P>The resulting output will hopefully be easily adaptable to your own needs.</P> Tue, 03 Oct 2017 10:51:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364347#M44005 Richfez 2017-10-03T10:51:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364348#M44006 <P>Thank you it helped find me a way!</P> Tue, 03 Oct 2017 15:35:28 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364348#M44006 sosapes 2017-10-03T15:35:28Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364349#M44007 <P>Excellent! </P> <P>It would be very useful to those who stumble across this answer later if you could provide the search you ended up with here and mark the question as accepted.</P> <P>Second best (and good enough) is just clicking "Accept" so everyone knows there's a valid answer!</P> <P>Thanks! And glad we could help!</P> <P>-Rich</P> Tue, 03 Oct 2017 15:56:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Sankey-Diagram-Custom-Visualization-One-event-in-multiple/m-p/364349#M44007 Richfez 2017-10-03T15:56:42Z